Hi all,

Sorry for starting a new thread on this one, but I thought it would be a good idea to gather the methods for deleting data we know of as something separate from the current "undeleteable data" thread.

The following is what i'm aware of that we do at KDE:

Bugzilla: We merge the account to be deleted into an single anonymous account (null@kde.org). This erases all the PII collected from the user (name, email address, etc) as the data from the anonymous account takes it's place. The history also gets merged in with the anonymous account (and thus mixed in with that of every other account which we've removed).

The only thing which does get kept are the posts made by that user, which are as far as I am aware outside the scope of GDPR. There is already a script shipped with Bugzilla, contrib/merge-users.pl for this.

Mediawiki: We merge accounts here as well, same thing happens as Bugzilla. The edits stay behind but the user's details are erased forever. You can use the UserMerge extension for this.

Only place we might fall short are User: namespace pages if they've used these - while these can be purged using RevisionDelete I don't think this actually destroys the information (just hides it from everyone except those with revisiondelete permissions)

phpBB: It has functionality to allow accounts to be deleted, so you rename the account to something like "AnonymousAnimal" then delete the account, ticking the option to keep posts. It's an included part of it's functionality. The only "identifying" thing left behind is the name of the account (hence the rename before you pull the delete trigger)

Drupal: It has integrated functionality to let you cancel accounts - as part of this process you are given the option to transfer the content it created to the "Anonymous" user then delete the account (effectively equivalent what we do for Bugzilla)

Wordpress: Same situation as Drupal, it's account deletion option let's you transfer the content it created to another user.

Nextcloud: Lets you delete accounts freely from the web interface if you are a Super Administrator. Destroys everything owned by the account for good measure.

Traces of information in shared files they'd worked on would be the only concern here, for which we'd have to manually check everything they had access to (given the myriad forms data can come in, manual checks are the only way to do this in reality as automatic mechanisms are bound to miss support for one or more types of file).

Phabricator: Unfortunately it does not support merging of user accounts, and upstream strongly warn you against deleting data (they don't support it). There is a tool to do it for data including user accounts however this isn't really a solution because the history of actions taken by that account can still be reconstructed from the transaction logs kept by Phabricator (which can be freely accessed by anyone with an account via it's Conduit API)

At the moment we deal with these requests by changing the username to something anonymous and removing all other profile details which are personally identifying. This does leave the users activity history, but is otherwise a fairly complete removal and doesn't run the risk of breaking parts of Phabricator.

I'd be interested to know folks thoughts on user account merging as a solution to the problem - and whether they think any of the above aren't sufficient for compliance. Historically we haven't seen any user profile information survive account merges.

Cheers, Ben